MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e2f705aca77ac3ab2bf2b2b08a2adc515f2785ed865827eaf1e0283382bf0be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e2f705aca77ac3ab2bf2b2b08a2adc515f2785ed865827eaf1e0283382bf0be
SHA3-384 hash: 24e2f420ececec0f023f29b2df7cae147d079f6eda7f7136a79e38288303d60ce6aa915068a7db1022774009a05c36d0
SHA1 hash: 86f4fb24b5bb8d8594e727e737cf9ea7d69586f9
MD5 hash: fe8d5e7646c0f3ef151901a62707fa29
humanhash: kentucky-south-magnesium-july
File name:fattura.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:306'176 bytes
First seen:2020-05-14 07:02:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fadf26586613aac6b43f8476e980a863 (1 x Gozi, 1 x Loki)
ssdeep 6144:mwHC7z1Nad795L4vAUH25OiotgZuAC9JMgqmvIxW+k:mISz6d79OvtK+gUzVvMD
Threatray 404 similar samples on MalwareBazaar
TLSH 0C548DD173E0FC31D5666A3D892AD6AC163EB521AF34629B1F541A2F1E7039089F630F
Reporter abuse_ch
Tags:exe geo Gozi isfb ITA


Avatar
abuse_ch
Malspam distributing Gozi:

HELO: mx01.thecoz.it
Sending IP: 92.243.18.213
From: grande <sandra.pomardi@gsair.it>
Subject: Il tuo ordine 164798 e stato completato
Attachment: fattura_42.xls

Gozi payload URL:
http://gstat.chromaimagen.com/fattura.exe

Gozi C2:
http://gstat.ornamental-metals.com/images/

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/3709/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 07:36:48 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyxxawwko6wdvmv7fmvqrivnyuk7e6c63bsye7vpdybigobl6c7a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
09804594bd9f7b89264ce8fb599523eac20d915ad0976787d00627cc49909e2a
Gozi
51710ac663a6fd3bc7f166045d4cb38b1e1796195b4aab057b4133df8db9ef8b
Gozi
7899aae710988b1ddf4fca1d1f70a5f57fcb67b8491ab935e82f2ed46eda0bfb
Gozi
837becd51bb1bdb0e2b182704f727f9f7270737e4c0284df9739ddba3948aa83
Gozi
8faef49d64b36052e6648a0426fb2f71af70d9b434be548841a4707fada2410a
Gozi
92531c1c46721abadcbc92de961a40f50940f1409c31d84cbc8129ce860968e3
Gozi
acfc2a0c6eaf9209bc6036bd385b70fc6971b51ea9dab0eaefb5ac99b674b658
Gozi
bd27fe96b334c81e8b62bda3121306619ca317dad8a971daf0639cb896953006
Gozi
cb27ecf6bee0620962aa33d1fc0496a1a201b80b67b446fa9d25a9e67e32abca
Gozi
d92b637296f8fa8031ee7a36ac842225bce725f241963bb8afb737b2b3e4fa42
Gozi
+ 394 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-r3p17g6fxe/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_dreambot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

Excel file xls 1fa7f120fb85a57f5a7aba8d896c686c988233a29e3a0f6a9225917a9d6b79dc

Gozi

Executable exe 5e2f705aca77ac3ab2bf2b2b08a2adc515f2785ed865827eaf1e0283382bf0be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/362567/
  
Dropped by
MD5 49739bb4ae324268731684c90007ae80
  
Dropped by
SHA256 1fa7f120fb85a57f5a7aba8d896c686c988233a29e3a0f6a9225917a9d6b79dc
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/3709/
Cape
Cape
https://www.capesandbox.com/analysis/3708/

Comments


Avatar
commented on 2020-05-14 07:28:12 UTC

Additional Gozi C2s:
gstat.yourceocoach.com
gstat.rudyardmusic.com
gstat.marketingpsl.com
gstat.maxrehkopf.com